IT Security RSS Feed for 2024-10-17
How to build an incident response plan, with examples, template
Published: Wed, 16 Oct 2024 11:00:00 GMT
Building an Incident Response Plan
1. Define the Scope and Objectives
- Determine the types of incidents to be covered (e.g., malware and ransomware, data breaches, account compromise, denial of service, insider misuse).
- Define the goals and objectives of the plan, such as restoring operations, minimizing damage, and improving resilience.
2. Identify Key Roles and Responsibilities
- Establish a clear chain of command and roles for the incident response team (IRT).
- Define the responsibilities of each team member, including:
- Incident detection and notification
- Incident containment and mitigation
- Communication and stakeholder management
- Investigation and corrective action
3. Develop Incident Response Procedures
- Detection and Notification: Establish mechanisms for detecting incidents, such as monitoring systems (SIEM and EDR alerts, log review) and threat intelligence, and define how and to whom notifications are escalated, including severity criteria and time limits for each step.
- Containment and Mitigation: Define steps to contain the incident and prevent further damage, such as isolating affected systems from the network, disabling compromised accounts and revoking their sessions and tokens, and patching the exploited vulnerability. Preserve evidence before taking destructive actions such as reimaging.
- Investigation and Analysis: Plan how incidents will be investigated. This includes collecting and preserving evidence (volatile memory, disk images, logs) with a documented chain of custody, analysing logs, and conducting forensic analysis to establish root cause and the full scope of what was accessed.
- Correction and Recovery: Outline the steps for restoring affected systems and services, such as reimaging devices, restoring from backups that have been verified as clean, rotating credentials, and implementing new security measures. Define how recovery is verified and who declares the incident closed.
4. Establish Communication Channels
- Identify communication channels for internal and external stakeholders.
- Develop templates for incident notifications, updates, and post-mortem reports.
- Define communication protocols for sensitive information and media inquiries.
5. Integrate with Existing Processes
- Ensure the incident response plan aligns with existing policies, procedures, and technical infrastructure.
- Integrate incident response procedures into business continuity and disaster recovery plans.
6. Training and Exercises
- Train the IRT on the incident response plan and their specific roles.
- Conduct regular exercises to test the plan’s effectiveness and identify areas for improvement.
7. Maintenance and Improvement
- Regularly review and update the incident response plan based on lessons learned from incidents and changes in the threat landscape.
- Conduct post-incident analyses to identify areas for improvement and implement corrective actions.
Incident Response Plan Template
1. Scope
- Overview of the types of incidents covered
- Goals and objectives of the plan
2. Roles and Responsibilities
- Incident Response Team members
- Chain of command
- Roles and responsibilities of each team member
3. Incident Response Procedures
- Detection and Notification
- Detection mechanisms
- Notification process
- Containment and Mitigation
- Containment measures
- Mitigation techniques
- Investigation and Analysis
- Evidence collection
- Forensic analysis
- Correction and Recovery
- System recovery
- Security enhancements
4. Communication
- Internal and external communication channels
- Notification and update templates
- Communication protocols
5. Integration
- Alignment with existing policies
- Integration with business continuity and disaster recovery plans
6. Training and Exercises
- Training schedule
- Exercise scenarios
7. Maintenance and Improvement
- Review and update schedule
- Post-incident analysis
- Corrective action implementation
Cato further expands SASE platform for ‘complete’ UK delivery
Published: Wed, 16 Oct 2024 04:22:00 GMT
Cato Networks has expanded its secure access service edge (SASE) platform to provide ‘complete’ secure connectivity to UK-based organisations.
The vendor claims that its platform is the first and only SASE solution that provides:
- Direct peering with major cloud service providers (CSPs)
- A global private backbone to connect branch locations, users, and cloud destinations
- Centralised management, visibility, and control over the entire network
Cato’s SASE platform includes the following services:
- Cloud-native secure web gateway (SWG) to protect users from web-based threats
- Cloud-native firewall-as-a-service (FWaaS) to protect applications and data from cyberattacks
- Zero trust network access (ZTNA) to provide secure access to private applications without the need for a VPN
- SD-WAN/SASE WAN to provide secure and reliable connectivity to branch locations and cloud applications
The new capabilities of Cato’s SASE platform include:
- Direct peering with Microsoft Azure and Google Cloud in the UK: This provides UK customers with faster and more reliable access to these cloud services.
- Expanded global private backbone in the UK: This provides UK customers with more resilient and secure connectivity to their branch locations, users, and cloud destinations.
- Centralised management, visibility, and control: This provides UK customers with a single pane of glass to manage their entire network, including their SASE services, branch locations, and cloud applications.
Cato’s SASE platform is delivered as a cloud-based service, making it easy for UK organisations to deploy and manage. The platform is also scalable, so it can be easily adapted to meet the changing needs of organisations.
“We are excited to expand our SASE platform to the UK,” said Shlomo Kramer, CEO and co-founder of Cato Networks. “Our platform will provide UK organisations with the secure and reliable connectivity they need to succeed in the digital age.”
Cato Networks is a leading provider of cloud-based networking and security solutions. The company’s SASE platform is used by organisations of all sizes to protect their users and data from cyberattacks. Cato Networks has been recognised as a Gartner Magic Quadrant Leader for SASE for two consecutive years.
NCSC expands school cyber service to academies and private schools
Published: Tue, 15 Oct 2024 09:55:00 GMT
The National Cyber Security Centre (NCSC) has extended its PDNS for Schools service, part of its Active Cyber Defence programme, to academies, multi-academy trusts and independent schools in England and Wales.
What is the Active Cyber Defence programme?
Active Cyber Defence (ACD) is the NCSC’s suite of free, largely automated services intended to remove high-volume commodity attacks before they reach an organisation. It includes a protective DNS (PDNS) service, which refuses to resolve domains known to be used for phishing, malware delivery and command-and-control, as well as takedown of malicious sites and the Early Warning alerting service.
Expansion to Academies and Private Schools
PDNS for Schools was previously available to local-authority-maintained schools. The expansion opens it to academies, multi-academy trusts and independent schools, which run their own IT and have often had no equivalent control in place.
Benefits for Schools
The expansion of the programme offers several benefits for schools, including:
- Enhanced threat detection and blocking: DNS lookups for known-bad domains are refused and logged, stopping many phishing links and malware downloads before a connection is ever made.
- Improved incident management: the blocked-query logs show which devices attempted to reach malicious domains, helping schools identify affected machines quickly and reducing disruption to learning.
- Reduced financial and reputational risk: By enhancing their cyber resilience, schools can reduce the likelihood and impact of costly cyber attacks, protecting their finances and reputation.
How to Participate
To take part, eligible schools must:
- Be an academy, multi-academy trust or independent school in England or Wales.
- Register for the service through the NCSC’s PDNS for Schools page.
- Point their DNS resolvers or forwarders at the PDNS service, following the NCSC’s guidance.
The service is free to eligible schools.
Importance of Cyber Resilience for Schools
In today’s highly digitised world, schools are increasingly reliant on technology for teaching, learning, and administration. This makes them potential targets for cyber attacks, which can disrupt education, compromise sensitive data, and damage their reputation. By expanding the Active Cyber Defence programme, the NCSC is helping to ensure that schools are well-protected from these threats.
Telefónica and Halotech integrate post-quantum encryption into IoT devices
Published: Tue, 15 Oct 2024 05:46:00 GMT
Telefónica, a leading telecommunications company, and Halotech, a provider of quantum-safe security solutions, have announced a partnership to integrate post-quantum encryption into IoT devices.
Post-Quantum Encryption for IoT Security
Post-quantum cryptography (PQC) is a class of public-key algorithms designed to resist attacks by future large-scale quantum computers. Today’s public-key schemes, such as RSA and elliptic-curve cryptography (ECC), would be broken by Shor’s algorithm on a sufficiently large quantum computer. No such machine exists yet and estimates of when one might vary widely, but traffic recorded today can be decrypted later (“harvest now, decrypt later”), which makes long-lived IoT devices, often deployed for a decade or more and hard to update in the field, an early priority. NIST published its first PQC standards in August 2024: ML-KEM (FIPS 203) for key establishment and ML-DSA (FIPS 204) for digital signatures. Symmetric algorithms such as AES are not broken by quantum computers, though larger key sizes are recommended.
Integration into IoT Devices
Telefónica and Halotech are integrating PQC into IoT devices, ranging from sensors and gateways to actuators and controllers. PQC keys and signatures are larger than their ECC equivalents, so integration on constrained devices has to budget for memory, bandwidth and a firmware-update path, and most deployments pair a PQC algorithm with a classical one (a hybrid) during the transition. The integration is intended to provide the following benefits:
- Enhanced Security: PQC encryption secures the data transmitted and stored on IoT devices, protecting against unauthorized access and data breaches.
- Quantum-Safe Communications: IoT devices can establish secure communication channels using PQC, preventing eavesdropping and data interception.
- Long-Term Protection: PQC encryption ensures the longevity of IoT deployments, as it is resistant to future quantum attacks.
Partnership Details
The partnership between Telefónica and Halotech will involve the following:
- Halotech’s PQC Solutions: Halotech will provide its PQC library, a set of algorithms and protocols that can be integrated into IoT devices.
- Telefónica’s Infrastructure: Telefónica will integrate the PQC library into its IoT devices and provide the necessary infrastructure to support its deployment.
- Joint Research and Development: The two companies will collaborate on research and development to further enhance the security of IoT devices using PQC.
Significance
The integration of post-quantum encryption into IoT devices is a significant step in securing the Internet of Things against future quantum threats. By partnering with Halotech, Telefónica is leading the way in ensuring the long-term security of its customers’ IoT deployments.
Robust cloud IAM should align to zero-trust principles
Published: Fri, 11 Oct 2024 13:26:00 GMT
Alignment of Robust Cloud IAM with Zero Trust Principles
Zero trust is a security model that grants no implicit trust on the basis of network location or device ownership: every access request is authenticated, authorised and continuously re-evaluated against policy, whether it originates inside or outside the corporate network. In practice that means strong identity, least-privilege access, context-aware and time-bounded decisions, and logging of every decision so that compromise can be detected quickly.
How Robust Cloud IAM Supports Zero Trust Principles:
1. Least Privilege Access:
- Cloud IAM assigns roles and permissions only as necessary to perform specific tasks.
- Prevents users from accessing data or functionality they do not require.
2. Multi-Factor Authentication (MFA):
- Cloud IAM supports MFA to verify user identities through multiple factors, reducing the risk of account compromise.
- Ensures that even if a user’s password is compromised, access is still restricted.
3. Continuous Authorization:
- Cloud IAM continuously evaluates access requests based on the user’s context (e.g., IP address, device).
- Revokes access promptly if the user’s context changes or suspicious activity is detected.
4. Device Posture:
- Cloud IAM can require that requests come from a known, managed device that meets posture requirements (disk encryption, current patches, endpoint agent present), usually by integrating with the device-management or endpoint tool.
- A stolen password or token is then far less useful, because the attacker’s device will not pass the check.
5. Just-in-Time (JIT) Access:
- Cloud IAM can provide just-in-time access to resources.
- Grants access temporarily, only when necessary, and revokes it afterwards.
6. Identity Federation:
- Cloud IAM can federate with an external identity provider (e.g., Active Directory Federation Services, Entra ID or Okta) over SAML or OpenID Connect.
- Users do not need separate cloud credentials, so there is a single place to enforce MFA, conditional access and deprovisioning when someone leaves, and less scope for password reuse.
7. Logging and Auditing:
- Cloud IAM provides comprehensive logging and auditing capabilities.
- Tracks user access, resource modifications, and suspicious activities, facilitating threat detection and response.
Benefits of Aligning Cloud IAM with Zero Trust:
- Enhanced Security: Reduces the risk of data breaches and unauthorized access.
- Improved Compliance: Meets regulatory and industry standards that require zero-trust principles.
- Reduced Attack Surface: Limits the potential entry points for attackers.
- Improved Incident Response: Facilitates rapid detection and remediation of security incidents.
- Increased Trust: Strengthens the credibility and reliability of cloud-based systems.
By aligning Cloud IAM with zero-trust principles, organizations can create a highly secure and resilient cloud environment that protects sensitive data and resources from unauthorized access and malicious activities.
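The principles above (least privilege, MFA, network context, just-in-time expiry, explicit deny) are easiest to see in a policy engine that enforces them. The following is an added example for this page and is not any cloud provider’s IAM engine: a deny-by-default evaluator over AWS-style policy statements (Effect/Action/Resource/Condition). The condition keys, the resource naming scheme, the corporate IP range and the sample requests are all assumptions constructed for the demo. It contrasts a standing wildcard grant with a hardened grant that only works with MFA, from the corporate network, inside a time-boxed window.

```python
"""Deny-by-default policy evaluator with MFA, network context and JIT expiry.

Added example for this page; it is not any cloud provider's IAM engine. The
policy shape (Effect/Action/Resource/Condition), the condition keys and the
sample requests are assumptions modelled loosely on AWS-style documents.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    principal: str
    action: str        # e.g. "storage:GetObject"
    resource: str      # e.g. "arn:example:storage:::payroll/2024-q3.csv"
    source_ip: str
    mfa: bool
    at: datetime       # time of the request (UTC)


def _condition_ok(cond, req):
    """Every condition key must hold; an unknown key fails closed."""
    for key, expected in cond.items():
        if key == "MultiFactorAuthPresent":
            if req.mfa != expected:
                return False
        elif key == "SourceIp":
            addr = ip_address(req.source_ip)
            if not any(addr in ip_network(cidr) for cidr in expected):
                return False
        elif key == "NotAfter":          # just-in-time grant expiry
            if req.at > expected:
                return False
        else:
            return False
    return True


def evaluate(policy, req):
    """Explicit Deny wins over Allow; no matching Allow means Deny."""
    decision = "Deny"
    for stmt in policy:
        if not any(fnmatchcase(req.action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatchcase(req.resource, r) for r in stmt["Resource"]):
            continue
        if not _condition_ok(stmt.get("Condition", {}), req):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constants below are constructed for the demo.
CORP_RANGES = ["10.0.0.0/8"]
GRANT_EXPIRES = datetime(2024, 10, 17, 12, 0, tzinfo=timezone.utc)  # JIT window ends

# Weak: a standing, unconditional grant of everything.
WEAK_POLICY = [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]

# Hardened: one action on one resource prefix, MFA + corporate network,
# time-boxed, plus an explicit deny for any request that lacks MFA.
HARDENED_POLICY = [
    {"Effect": "Allow",
     "Action": ["storage:GetObject"],
     "Resource": ["arn:example:storage:::payroll/*"],
     "Condition": {"MultiFactorAuthPresent": True,
                   "SourceIp": CORP_RANGES,
                   "NotAfter": GRANT_EXPIRES}},
    {"Effect": "Deny", "Action": ["*"], "Resource": ["*"],
     "Condition": {"MultiFactorAuthPresent": False}},
]


def decisions(policy):
    """Evaluate a fixed set of sample requests; returns {label: decision}."""
    base = dict(principal="alice", action="storage:GetObject",
                resource="arn:example:storage:::payroll/2024-q3.csv",
                source_ip="10.20.30.40", mfa=True,
                at=datetime(2024, 10, 17, 11, 0, tzinfo=timezone.utc))
    cases = {
        "mfa_corp_in_window": {},
        "no_mfa": {"mfa": False},                      # stolen password alone
        "external_ip": {"source_ip": "203.0.113.5"},   # right user, wrong network
        "after_expiry": {"at": datetime(2024, 10, 17, 13, 0, tzinfo=timezone.utc)},
        "out_of_scope_action": {"action": "storage:DeleteObject"},
    }
    return {label: evaluate(policy, Request(**{**base, **override}))
            for label, override in cases.items()}


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, decisions(pol))
```

Under the weak policy every sample request is allowed, including the one made with a stolen password and no MFA. Under the hardened policy only the MFA-backed request from the corporate range inside the JIT window succeeds; the same user is denied after the window closes, from an external address, or when asking for an action outside the grant. The explicit-deny statement is the belt-and-braces control: even if someone later adds a careless Allow, a request without MFA still fails.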
What is the Mitre ATT&CK framework?
Published: Fri, 11 Oct 2024 00:00:00 GMT
The Mitre ATT&CK framework is a globally accessible, curated knowledge base of adversary tactics and techniques based on real-world observations of intrusions. Defenders use it to describe attacker behaviour in a common language, map detections and controls to it, and prioritise gaps; red teams use it to plan adversary emulation exercises that mimic how real groups operate.
The knowledge base is organised by tactics (the adversary’s goal at a given stage, such as Initial Access, Execution, Credential Access or Impact), techniques (how that goal is achieved) and sub-techniques (more specific variants of a technique). Each technique is accompanied by procedures, documented examples of how particular threat groups and malware families have carried it out, together with detection and mitigation guidance. Separate matrices cover Enterprise (Windows, macOS, Linux, cloud, containers), Mobile and ICS.
The framework is maintained by Mitre, a not-for-profit organisation that operates federally funded research and development centres in the US, with contributions from government, industry and academic researchers.
ATT&CK has been adopted by a number of organisations, including the Department of Homeland Security, the National Security Agency and the United States Marine Corps, and is used by many commercial security vendors, which commonly tag alerts and reports with ATT&CK technique IDs.
Its value lies in the shared vocabulary: a detection tagged with a technique ID can be compared across tools and teams, and an intrusion report written in ATT&CK terms tells a defender exactly which behaviours to hunt for.
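The tactic/technique/sub-technique structure is what makes detection coverage measurable. The following added example (not Mitre’s own tooling) resolves Sigma-style rule tags such as `attack.t1059.001` against a small hand-built slice of ATT&CK and reports which techniques in each tactic have a detection and which do not. The technique IDs and names in the catalogue are real ATT&CK entries, but the subset, the detection rules and their tags are constructed for the demo.

```python
"""Map detection-rule tags onto a slice of ATT&CK and report coverage gaps.

Added example for this page, not MITRE's own tooling. The catalogue is a
small hand-built subset of ATT&CK (IDs and names are real; the selection is
ours) and the detection rules are constructed, tagged in the Sigma
convention: `attack.<tactic>` and `attack.t<id>[.<sub>]`.
"""
import re
from collections import defaultdict

# technique ID -> (name, tactic shortname, parent technique or None)
CATALOG = {
    "T1566":     ("Phishing",                          "initial-access",    None),
    "T1566.001": ("Spearphishing Attachment",          "initial-access",    "T1566"),
    "T1059":     ("Command and Scripting Interpreter", "execution",         None),
    "T1059.001": ("PowerShell",                        "execution",         "T1059"),
    "T1003":     ("OS Credential Dumping",             "credential-access", None),
    "T1003.001": ("LSASS Memory",                      "credential-access", "T1003"),
    "T1021":     ("Remote Services",                   "lateral-movement",  None),
    "T1486":     ("Data Encrypted for Impact",         "impact",            None),
}

TAG_RE = re.compile(r"^attack\.t(\d{4})(?:\.(\d{3}))?$")


def technique_from_tag(tag):
    """'attack.t1059.001' -> 'T1059.001'; None for tactic tags or malformed tags."""
    m = TAG_RE.match(tag.lower())
    if not m:
        return None
    tid = "T" + m.group(1)
    return f"{tid}.{m.group(2)}" if m.group(2) else tid


def validate(tags):
    """Return technique tags that do not resolve to a catalogue entry (typos, unknown IDs)."""
    bad = []
    for t in tags:
        tid = technique_from_tag(t)
        if tid is not None and tid not in CATALOG:
            bad.append(t)
    return bad


def coverage(rules):
    """Return {tactic: {"covered": [...], "uncovered": [...]}}.

    A detection for a sub-technique also counts toward its parent technique,
    since the parent is the behaviour the sub-technique specialises.
    """
    detected = set()
    for rule in rules:
        for tag in rule["tags"]:
            tid = technique_from_tag(tag)
            if tid in CATALOG:
                detected.add(tid)
                parent = CATALOG[tid][2]
                if parent:
                    detected.add(parent)
    report = defaultdict(lambda: {"covered": [], "uncovered": []})
    for tid, (_, tactic, _) in sorted(CATALOG.items()):
        bucket = "covered" if tid in detected else "uncovered"
        report[tactic][bucket].append(tid)
    return dict(report)


RULES = [  # constructed for the demo
    {"title": "Office application spawning PowerShell with an encoded command",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Suspicious handle access to LSASS",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Mass file rename to a ransom extension",
     "tags": ["attack.impact", "attack.t1486"]},
]

if __name__ == "__main__":
    for tactic, buckets in coverage(RULES).items():
        print(f"{tactic:18} covered={buckets['covered']} uncovered={buckets['uncovered']}")
```

Run against the three constructed rules, the report shows Execution, Credential Access and Impact covered but nothing for Initial Access or Lateral Movement, which is the kind of gap list a detection engineering backlog is built from. `validate()` catches the commonest mistake in practice, a tag that names a sub-technique that does not exist; in real use the catalogue would be loaded from Mitre’s published STIX bundle rather than typed in.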
NCSC issues fresh alert over wave of Cozy Bear activity
Published: Thu, 10 Oct 2024 12:37:00 GMT
The National Cyber Security Centre (NCSC) has issued a fresh alert over a wave of activity by the Russian state-backed hacking group Cozy Bear.
The group, also known as APT29, has been targeting a range of organizations, including government agencies, think tanks, and businesses.
The NCSC, with its US partners, said the SVR-linked group is opportunistic as well as targeted: it exploits unpatched vulnerabilities in internet-facing software at scale, alongside spear-phishing and the abuse of cloud and service accounts, to gain access to networks.
Once they have gained access, the group can steal data, disrupt operations, and conduct cyber espionage.
The NCSC said that organizations should be aware of the threat posed by Cozy Bear and take steps to protect themselves.
These steps include:
- Patching internet-facing systems promptly, prioritising vulnerabilities known to be exploited
- Enforcing multi-factor authentication and strong, unique passwords, and auditing dormant and service accounts
- Training staff to be cautious of phishing emails and attachments
- Backing up data regularly and testing that backups can be restored
- Having a cybersecurity incident response plan in place
The NCSC said that it is working with partners to investigate the activity by Cozy Bear and to develop measures to protect the UK from cyber threats.
What is Cozy Bear?
Cozy Bear is a Russian state-backed hacking group that has been active since at least 2010.
The group is believed to be responsible for a number of high-profile cyber attacks, including the hack of the Democratic National Committee (DNC) in 2016.
Cozy Bear is known for its use of sophisticated hacking techniques and its ability to target a wide range of organizations.
The group is also known for its patience and persistence, often spending months or even years infiltrating a network before launching an attack.
How to protect yourself from Cozy Bear
Organisations should apply the measures listed above, paying particular attention to patching internet-facing systems and enforcing multi-factor authentication, since those are the initial-access routes the group is known to use.
Individuals can reduce their exposure by:
- Using strong, unique passwords and two-factor authentication
- Being cautious of phishing emails and attachments
- Keeping software up to date
- Being aware of the latest cyber threats
If you believe that you have been targeted by Cozy Bear, you should contact the NCSC or your local law enforcement agency immediately.
What is threat intelligence?
Published: Thu, 10 Oct 2024 12:00:00 GMT
Threat intelligence is the continuous process of collecting, analysing and disseminating information about existing and emerging threats to an organisation so that decisions can be made on it. It helps organisations understand which adversaries are likely to target them and how, prioritise their security efforts, and develop effective defensive measures.
Threat intelligence can be collected from a variety of sources, including:
- Open-source intelligence (OSINT): This is information that is publicly available, such as news articles, blog posts, and social media posts.
- Closed-source intelligence: This is information that is not publicly available, such as commercial vendor feeds, sharing-group (ISAC) reports, law enforcement bulletins and classified material.
- Technical intelligence (TECHINT): This is information about specific threats, such as malware samples, exploited vulnerabilities and indicators of compromise (IP addresses, domains, URLs, file hashes).
Once collected, the information is processed (normalised, deduplicated, enriched) and analysed to judge its reliability and relevance and the likelihood and impact of each threat. The output is usually described at three levels: strategic (trends and risk for executives), operational (campaigns and adversary tradecraft for security managers) and tactical (indicators and detection content for analysts and tooling). Indicators decay quickly, so feeds need confidence scoring and ageing out rather than being loaded wholesale into blocklists.
Threat intelligence is an essential part of a security programme, but only if it is acted on: it earns its keep when it changes a patching priority, a detection rule or a response decision.
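Tactical intelligence mostly arrives as indicators in shared reports, usually “defanged” (`hxxp://`, `[.]`) so that they cannot be clicked, and the first practical step is turning them back into something that can be matched against your own logs without false positives. The following added example (not any vendor’s product) refangs a mixed list of indicators, classifies them, and scans log lines with boundaries chosen per indicator type so that `203.0.113.7` does not match `203.0.113.70` and `evil-updates.example` matches its subdomains but not `notevil-updates.example.com`. The indicators and log lines are constructed for the demo using documentation address ranges and a reserved example domain; the hash is the SHA-256 of the empty string.

```python
"""Refang threat-intel indicators and match them against log lines.

Added example for this page; not any vendor's product. Indicators and log
lines are constructed for the demo (RFC 5737 documentation addresses, a
reserved example domain, and the SHA-256 of the empty string as the hash).
Defanging styles handled: hxxp, [.], (.), [dot], (dot), [:] and [@].
"""
import re

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEXHASH = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")


def refang(ioc):
    """'hxxp://evil[.]example' -> 'http://evil.example' (lower-cased)."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    for bad, good in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("(dot)", "."),
                      ("[:]", ":"), ("[@]", "@")):
        s = s.replace(bad, good)
    return s.lower()


def classify(ioc):
    """Coarse indicator type; drives which match boundaries are applied."""
    if IPV4.match(ioc):
        return "ipv4"
    if HEXHASH.match(ioc):
        return "hash"
    if "://" in ioc:
        return "url"
    if "@" in ioc:
        return "email"
    return "domain"


def compile_indicator(raw):
    """Return (type, refanged value, compiled pattern with type-appropriate boundaries)."""
    ioc = refang(raw)
    kind = classify(ioc)
    esc = re.escape(ioc)
    if kind == "ipv4":
        pat = rf"(?<![\d.]){esc}(?![\d.])"          # 203.0.113.7 must not hit 203.0.113.70
    elif kind == "domain":
        pat = rf"(?<![\w-]){esc}(?![\w.-])"         # sub.domain matches; domain.tld2 does not
    elif kind == "hash":
        pat = rf"(?<![0-9a-f]){esc}(?![0-9a-f])"
    else:                                           # url / email: exact substring
        pat = esc
    return kind, ioc, re.compile(pat, re.I)


def scan(raw_indicators, lines):
    """Return one hit dict per (indicator, line) match; line numbers are 1-based."""
    compiled = [compile_indicator(r) for r in raw_indicators]
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, ioc, pat in compiled:
            if pat.search(line):
                hits.append({"line": n, "type": kind, "ioc": ioc, "text": line})
    return hits


INDICATORS = [  # as they might appear in a shared report (defanged); constructed
    "hxxp://evil-updates[.]example/payload.bin",
    "evil-updates[.]example",
    "203[.]0[.]113[.]7",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

LOGS = [  # constructed
    "2024-10-16T09:12:01Z proxy user=jdoe GET http://evil-updates.example/payload.bin 200",
    "2024-10-16T09:12:03Z dns query=cdn.evil-updates.example type=A",
    "2024-10-16T09:12:04Z fw allow src=10.1.2.3 dst=203.0.113.7:443",
    "2024-10-16T09:12:05Z fw allow src=10.1.2.3 dst=203.0.113.70:443",
    "2024-10-16T09:13:10Z edr file=/home/jdoe/payload.bin "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-10-16T09:14:00Z dns query=notevil-updates.example.com type=A",
]

if __name__ == "__main__":
    for h in scan(INDICATORS, LOGS):
        print(f"line {h['line']}: {h['type']} {h['ioc']}")
```

The scan produces five hits across lines 1, 2, 3 and 5 (the URL and its domain both fire on the proxy line) and none for the look-alike IP or the look-alike domain. Two habits this encodes are worth keeping in any real matcher: normalise once and match case-insensitively, because hashes and hostnames arrive in arbitrary case, and treat a bare string match as a bug rather than a feature for IPs and domains.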
Government launches cyber standard for local authorities
Published: Thu, 10 Oct 2024 11:55:00 GMT
The UK government has launched a new cyber security standard for local authorities, based on the NCSC’s Cyber Assessment Framework (CAF) and adapted to the way councils and their services operate.
Purpose of the Standard
The standard aims to enhance the cyber resilience of local authorities, which play a crucial role in providing essential services to citizens. It provides a framework to help authorities assess, manage, and improve their cyber security posture.
Key Elements
The cyber standard includes five key elements:
- Leadership and Governance: Establish clear roles and responsibilities for cyber security.
- Risk Management: Identify, assess, and manage cyber risks effectively.
- People and Awareness: Foster a culture of cyber security awareness and training.
- Information and Systems: Implement robust technical controls to protect information and systems.
- Business Continuity and Incident Management: Plan for and respond effectively to cyber incidents.
Benefits of Adherence
By adhering to the standard, local authorities can:
- Enhance their cyber security posture and reduce the risk of breaches.
- Improve their response to cyber incidents and minimize downtime.
- Demonstrate their commitment to protecting citizen data and infrastructure.
- Gain recognition for their cyber security efforts.
Implementation Support
The government will provide support to local authorities in implementing the standard, including:
- Guidance and resources tailored to the needs of local authorities.
- Funding for cyber security training and tools.
- Access to a dedicated support team for implementation queries.
Adoption Status
The standard is not yet a statutory requirement. Local authorities are strongly encouraged to adopt it and to assess themselves against it, and the supporting guidance is designed so that authorities of different sizes can do so proportionately.
Conclusion
The launch of the cyber standard for local authorities marks a significant step in improving the UK’s cyber security posture. By adopting and implementing the standard, local authorities can strengthen their defenses against cyber threats and better protect the essential services they deliver to citizens.
Internet Archive web historians target of hacktivist cyber attack
Published: Thu, 10 Oct 2024 11:00:00 GMT
Internet Archive Hit by Data Breach and DDoS Attacks
The Internet Archive, the non-profit that runs the Wayback Machine and preserves the web’s history, has been hit by a data breach alongside a series of hacktivist distributed denial-of-service (DDoS) attacks.
Details of the Attack
- In early October 2024 the Archive’s sites, including archive.org and the Wayback Machine, were knocked offline intermittently by DDoS attacks for which a hacktivist group claimed responsibility.
- On 9 October 2024 visitors to archive.org were shown a JavaScript pop-up announcing that the site had been breached; founder Brewster Kahle confirmed the defacement, the DDoS attacks and the theft of a user authentication database.
- The stolen database held around 31 million user records containing email addresses, screen names and bcrypt-hashed passwords, and was shared with the Have I Been Pwned breach-notification service.
Impact on Users
The bcrypt hashing slows offline password cracking but does not prevent it, and the email addresses are directly usable for phishing.
- Users who reused their Internet Archive password on other services should change it there.
- Phishing that references the breach is a predictable follow-on and should be expected.
Response from Internet Archive
The Archive took its services offline to investigate and harden them:
- The compromised JavaScript library was disabled and systems were scrubbed.
- Credentials were rotated and additional security measures were put in place before services were brought back, with the Wayback Machine initially restored in read-only mode.
- The organisation said it would publish updates as the investigation progressed.
Motive Behind the Attack
The motive is unclear. The group that claimed the DDoS attacks cited political grievances; the data theft has not been publicly attributed, and it is not known whether the two are connected.
Implications for Internet Preservation
The attack highlights the exposure of internet preservation efforts.
- Archiving institutions are attractive targets both for attackers seeking publicity and for anyone wishing to suppress or alter the historical record.
- The availability and integrity of archives such as the Wayback Machine matter well beyond the Archive itself, since researchers, journalists and courts rely on them.
Call for Support
The Internet Archive has asked the public and the internet community for patience and support while it rebuilds.
- Organisations can provide financial or technical assistance to help the Archive strengthen its security.
The attack on the Internet Archive is a reminder of the importance of protecting those who work to preserve our digital heritage.
How Recorded Future finds ransomware victims before they get hit
Published: Thu, 10 Oct 2024 11:00:00 GMT
Recorded Future’s researchers monitor criminal forums, data-leak sites and other sources for signs that an organisation is being lined up for a ransomware attack: stolen credentials or network access being offered for sale, infostealer logs containing the organisation’s logins, or exposed remote-access services being discussed. When they identify a likely target, they contact the organisation and share what they have found so that it can act before encryption starts.
Alongside the manual monitoring, Recorded Future uses machine learning to analyse large volumes of collected data and surface patterns that would not be obvious to an analyst, which lets it identify likely targets more quickly and at greater scale.
Recorded Future says the approach has allowed it to warn organisations in time to stop attacks before the encryption stage, so that they could continue operating without disruption.
Recorded Future is a valuable resource for organizations that are looking to protect themselves from ransomware attacks. Their team of researchers and AI-powered technology can help to identify potential threats and provide organizations with the information they need to take steps to protect their systems.
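External warning is one side of finding victims before they are hit; the other is recognising the pre-encryption stage from inside, since ransomware operators typically spend hours to days destroying backups, disabling defences and exfiltrating data before they encrypt anything. The following added example (not Recorded Future’s method or code) scores hosts from process-creation events against a handful of well-documented precursor behaviours and raises the hosts that cross a threshold. The rule weights, the simplified `ts host=… user=… cmd=…` event format and the events themselves are constructed for the demo.

```python
"""Score hosts for ransomware precursor behaviour from process-creation events.

Added example for this page; it is not Recorded Future's method or code. The
rules are well-documented pre-encryption behaviours (shadow-copy deletion,
backup catalogue wipe, recovery disablement, exfiltration tooling, AV
tampering); the weights, the event format and the events are constructed.
"""
import re
from collections import defaultdict

# (rule name, weight, pattern over the command line)
RULES = [
    ("shadow_copy_delete", 40,
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_wipe", 30,
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("boot_recovery_disable", 30,
     re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("exfil_tooling", 25,
     re.compile(r"\b(rclone|megasync|winscp)(\.exe)?\b", re.I)),
    ("defender_tamper", 25,
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
]

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_event(line):
    """Parse one simplified event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def score_hosts(lines):
    """Return {host: {"score": int, "hits": [rule names], "first_seen": ts}}.

    Each rule counts once per host, so a single noisy loop cannot inflate
    the score; it is the combination of distinct behaviours that matters.
    """
    per_host = defaultdict(lambda: {"score": 0, "hits": [], "first_seen": None})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, weight, pat in RULES:
            if pat.search(ev["cmd"]):
                entry = per_host[ev["host"]]
                if name not in entry["hits"]:
                    entry["hits"].append(name)
                    entry["score"] += weight
                    entry["first_seen"] = entry["first_seen"] or ev["ts"]
    return dict(per_host)


def alerts(lines, threshold=50):
    """Hosts at or above the threshold, highest score first, as (host, score)."""
    scored = score_hosts(lines)
    return sorted(((h, v["score"]) for h, v in scored.items() if v["score"] >= threshold),
                  key=lambda x: (-x[1], x[0]))


EVENTS = [  # constructed
    "2024-10-15T02:14:07Z host=FS01 user=CORP\\svc-backup cmd=wbadmin delete catalog -quiet",
    "2024-10-15T02:14:09Z host=FS01 user=CORP\\svc-backup cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2024-10-15T02:15:30Z host=WS22 user=CORP\\jdoe cmd=rclone.exe copy D:\\Finance remote:dump --transfers 8",
    "2024-10-15T03:01:12Z host=WS22 user=CORP\\jdoe cmd=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-10-15T08:10:00Z host=WS07 user=CORP\\asmith cmd=vssadmin list shadows",
    "2024-10-15T08:11:00Z host=WS07 user=CORP\\asmith cmd=winscp.exe sftp://files.example.internal",
]

if __name__ == "__main__":
    scored = score_hosts(EVENTS)
    for host, score in alerts(EVENTS):
        print(host, score, scored[host]["hits"], "first seen", scored[host]["first_seen"])
```

On the constructed events, FS01 scores 70 (backup catalogue wiped, then shadow copies deleted at 02:14) and WS22 scores 50 (bulk copy to a remote with rclone, then real-time protection disabled), so both are raised; WS07 only listed shadow copies and used WinSCP, which on its own stays below the threshold. Thresholds and weights are tuning decisions: the point is that combining distinct precursor behaviours per host, rather than alerting on each command, is what separates an operator preparing to encrypt from an administrator doing their job.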
MoneyGram customer data breached in attack
Published: Wed, 09 Oct 2024 10:48:00 GMT
MoneyGram Falls Victim to Cyberattack, Exposing Customer Data
MoneyGram, a global money transfer company, has confirmed that the cyberattack that forced it to take systems offline in late September 2024 also resulted in the theft of customer data. The company has not said how many individuals were affected.
Data Breached:
According to MoneyGram’s statement, the data breach involved:
- Customer names
- Addresses
- Phone numbers
- Email addresses
- Account numbers
- Transaction history
MoneyGram said the types of data affected varied by individual and that its investigation into the full scope of the breach was continuing.
Investigation and Response:
MoneyGram has launched an investigation into the incident with the assistance of cybersecurity experts. The company has also notified law enforcement and appropriate regulatory authorities.
To protect affected customers, MoneyGram has implemented additional security measures and is offering free credit monitoring and identity theft protection services. The company is also contacting impacted individuals directly to provide further information and support.
Steps for Affected Customers:
Customers who believe they may have been affected by the MoneyGram data breach are advised to:
- Monitor their credit reports for any suspicious activity.
- Be cautious of phishing emails or calls that attempt to obtain personal information.
- Contact MoneyGram for assistance and to enroll in the free credit monitoring and identity theft protection services.
Impact and Implications:
The MoneyGram data breach is a significant cybersecurity incident that underscores the ongoing risks businesses and consumers face in the digital age. The exposed personal and financial information could be leveraged by criminals for identity fraud, phishing scams, and other malicious activities.
Financial institutions, regulatory bodies, and consumers should remain vigilant and take appropriate measures to protect themselves from similar breaches in the future.
Five zero-days to be fixed on October Patch Tuesday
Published: Wed, 09 Oct 2024 09:45:00 GMT
Microsoft’s October 2024 Patch Tuesday, released on 8 October 2024, addressed five zero-day vulnerabilities among more than 100 fixes across Windows, Office and other products. Two of the five were being actively exploited and three had been publicly disclosed before a fix was available.
The five zero-days are:
- CVE-2024-43573: a spoofing vulnerability in the Windows MSHTML platform, actively exploited. MSHTML remains present in Windows even though Internet Explorer is retired, so the fix applies to all supported Windows versions.
- CVE-2024-43572: a remote code execution (RCE) vulnerability in Microsoft Management Console, actively exploited via malicious .msc console files; the update stops untrusted .msc files from being opened.
- CVE-2024-43583: an elevation of privilege (EoP) vulnerability in Winlogon, publicly disclosed.
- CVE-2024-20659: a security feature bypass in Windows Hyper-V relating to UEFI, publicly disclosed.
- CVE-2024-6197: an RCE vulnerability in the open-source curl library that ships with Windows, publicly disclosed.
Microsoft has published advisories for each of these vulnerabilities and recommends that customers apply the updates as soon as possible, prioritising the two actively exploited flaws.
What is OPSEC (operations security)?
Published: Wed, 09 Oct 2024 09:00:00 GMT
OPSEC (operations security) is a process for identifying the critical information an adversary could use against an operation and controlling how that information is handled so it is not given away, whether through documents, conversations, public web content or observable patterns of activity. It originated in the US military (the Purple Dragon study during the Vietnam War) and is now applied to national security, law enforcement, corporate operations and, increasingly, to individuals’ online behaviour.
The classic OPSEC process has five steps: identify critical information; analyse the threat (who wants it and what they could do with it); analyse vulnerabilities (how it could leak, such as social media posts, metadata in documents or predictable schedules); assess the risk; and apply countermeasures. Countermeasures may be technical (encryption, access control, stripping document metadata), administrative (need-to-know policies, review before publication) or behavioural (not discussing operations in public channels), backed by training so that personnel understand why the information matters.
OPSEC complements the rest of a security programme by addressing what is given away rather than what is stolen: an attacker who can infer a target’s travel plans, software versions or on-call rota from public sources needs no exploit to get started.
UK Cyber Team seeks future security professionals
Published: Wed, 09 Oct 2024 04:59:00 GMT
The UK Cyber Team is a new government-backed programme to find and develop the country’s most promising young cyber security talent.
About the UK Cyber Team
Backed by the UK government, the UK Cyber Team will select 18- to 25-year-olds to train together and represent the UK in international cyber security competitions, as part of a wider push to grow the pipeline of skilled people entering the profession.
The Opportunity
Entry is through open online qualifying challenges rather than job applications. Anyone in the age range can register and attempt the challenges; the strongest performers are invited to further selection rounds and training, and the final squad competes internationally, gaining coaching and exposure to employers along the way.
Requirements
To be eligible, candidates should:
- Be aged 18 to 25
- Be eligible to represent the UK
The programme is open to people at any stage of their studies or early career, not only those with formal cyber security qualifications; the challenges are designed to surface aptitude.
Benefits
Taking part offers:
- Coaching from experienced practitioners
- The chance to travel and compete against other national teams
- Visibility with employers and with government cyber security programmes
How to Apply
Interested candidates should register on the UK Cyber Team website and complete the qualifying challenges.
The Future of Cybersecurity
The UK Cyber Team is one strand of the government’s effort to close the cyber security skills gap. By finding talent early and giving it a route into the profession, the programme aims to ensure that the UK has the skills and expertise to meet the challenges of the future.
Secureworks: Ransomware takedowns didn’t put off cyber criminals
Published: Tue, 08 Oct 2024 15:53:00 GMT
Secureworks, a cybersecurity firm, has released a report indicating that despite law enforcement efforts to take down ransomware operations, cybercriminals remain undeterred.
Key Findings:
- The number of ransomware attacks rose by 10% in 2021.
- Double extortion techniques, where attackers encrypt data and threaten to expose it, continue to dominate.
- Ransomware gangs continue to operate in prolific networks, often targeting multiple victims simultaneously.
- While law enforcement agencies have successfully dismantled several ransomware groups, the overall impact on criminal activity has been minimal.
Reasons for Resilience:
Secureworks attributes the resilience of ransomware gangs to several factors:
- Low Barrier to Entry: Ransomware kits are readily available on the dark web, making it easy for new criminals to enter the market.
- Profit Motive: Ransomware remains highly lucrative, with attackers demanding millions of dollars from victims.
- Criminal Networks: Ransomware gangs operate within close-knit networks, providing support and sharing resources.
- Regulatory Gap: The lack of global regulations and coordination makes it challenging to prosecute and dismantle ransomware operations across borders.
Conclusion:
Secureworks emphasizes that while law enforcement efforts are valuable, they alone cannot eradicate the ransomware threat. A comprehensive approach that includes victim awareness, robust cybersecurity measures, and international cooperation is necessary to effectively combat cybercrime.
UK’s cyber incident reporting law to move forward in 2025
Published: Tue, 08 Oct 2024 11:10:00 GMT
The UK government has announced plans to introduce a new law requiring organizations to report significant cyber incidents to the government. The law, which is expected to come into effect in 2025, aims to improve the UK’s ability to respond to and prevent cyber threats.
Under the new law, organizations will be required to report any cyber incident that has a “significant impact” on their operations or the UK’s national security. This includes incidents such as data breaches, ransomware attacks, and denial-of-service attacks.
Organizations will have 72 hours to report a cyber incident to the government. The government will then assess the incident and decide whether to take any further action.
The new law is part of the UK government’s wider strategy to improve the country’s cybersecurity. The government has also committed to investing £1.9 billion in cybersecurity over the next four years.
The new law has been welcomed by cybersecurity experts, who believe it will help to improve the UK’s ability to defend against cyber threats. However, some businesses have expressed concerns about the potential cost and administrative burden of the new law.
The government has said that it will work with businesses to ensure that the new law is implemented in a way that minimizes the burden on businesses. The government has also said that it will provide support to businesses that are affected by cyber incidents.
UK telcos including BT at risk from DrayTek router vulnerabilities
Published: Fri, 04 Oct 2024 16:41:00 GMT
Multiple DrayTek routers used by UK telcos, including BT, are vulnerable to cyberattacks due to critical security flaws, putting their customers at risk.
According to a report by security firm NCC Group, multiple DrayTek router models, including the Vigor 2860 series, 2925 series, 3220 series, 3900 series, and the VigorSwitch P1000 series, contain critical vulnerabilities that could allow attackers to compromise the devices and the networks they are connected to.
The security issues include improper input validation that could allow an attacker to execute arbitrary code on the targeted router, remote code execution (RCE) flaws, command injection vulnerabilities, cross-site request forgery (CSRF) weaknesses, and insufficient authentication and authorization controls.
“If exploited, these vulnerabilities could allow an attacker to gain unauthorized access to the router, modify its configuration, execute arbitrary code, and launch further attacks on the network,” the NCC Group report states. “These vulnerabilities pose a significant risk to the security of the affected routers and the networks they are connected to.”
The report also notes that the affected DrayTek routers are widely used by UK telcos, including BT, and are often used for business-critical applications such as broadband connectivity, VPN access, and network management.
“The exploitation of these vulnerabilities could have a significant impact on the availability, integrity, and confidentiality of the networks and services provided by UK telcos,” the report warns.
NCC Group has notified DrayTek of the vulnerabilities, and the company has released firmware updates to address the issues. Users of affected DrayTek routers should apply the updates as soon as possible to protect their devices and networks from cyberattacks.
In addition to applying the firmware updates, users can take other steps to mitigate the risk of cyberattacks, including using strong passwords, disabling unused services and ports, and keeping software up to date.
NCSC celebrates eight years as Horne blows in
Published: Fri, 04 Oct 2024 11:52:00 GMT
The National Cyber Security Centre (NCSC) is celebrating its eighth anniversary today, as Ciaran Martin departs as its chief executive.
The NCSC was established in October 2016 to protect the UK from cyber attacks and provide advice to businesses and individuals on how to stay safe online.
In its eight years, the NCSC has responded to a number of major cyber incidents, including the WannaCry ransomware attack in 2017 and the SolarWinds supply chain attack in 2020.
The NCSC has also played a key role in developing the UK’s national cyber security strategy and in working with international partners to combat cyber threats.
Ciaran Martin, who has led the NCSC since its inception, is stepping down today. He will be replaced by Lindy Cameron, who is currently the NCSC’s deputy director for operations.
Martin said: “It has been an honour to lead the NCSC for the past eight years. The centre has made a real difference to the UK’s cyber security, and I am proud of the work that we have done.
“I am confident that Lindy Cameron will be an excellent successor and that the NCSC will continue to play a vital role in protecting the UK from cyber threats.”
Lindy Cameron said: “I am delighted to be taking over as CEO of the NCSC. The centre has a world-class reputation and I am looking forward to working with the team to build on the success of the past eight years.
“Cyber threats are constantly evolving, and it is more important than ever that we have a strong and effective NCSC to protect the UK from these threats.”
Cups Linux printing bugs open door to DDoS attacks, says Akamai
Published: Fri, 04 Oct 2024 09:26:00 GMT
Akamai, a content delivery network provider, recently identified a series of vulnerabilities in the Common Unix Printing System (CUPS) that can be exploited to launch distributed denial-of-service (DDoS) attacks.
Vulnerabilities Overview:
The vulnerabilities reside in CUPS’s handling of Internet Printing Protocol (IPP) requests:
- CVE-2022-38373: A buffer overflow vulnerability in CUPS can allow attackers to execute arbitrary code on the target system.
- CVE-2022-38374: A denial-of-service vulnerability in CUPS can cause the printer service to crash when processing certain IPP requests.
Exploitation:
An attacker could exploit these vulnerabilities by sending specially crafted IPP requests to a vulnerable CUPS server. This could cause the server to crash or execute malicious code, leading to the disruption of printing services and potentially a larger DDoS attack.
Impact:
The vulnerabilities can impact any system running CUPS, including printers, multifunction devices, and servers. This includes various Linux distributions, embedded devices, and Internet of Things (IoT) devices.
Mitigations:
Akamai recommends that users and administrators apply the following mitigations:
- Update CUPS to the latest version (2.4.0 or higher).
- Enable IPP authentication and only allow trusted clients to access the printing service.
- Restrict access to the printing service from external networks.
- Implement rate limiting to prevent excessive IPP requests.
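The access-restriction items above (listening only where needed and limiting which clients may reach the service) can be checked directly against cupsd.conf. The following is an added example, not code from Akamai or the CUPS project: a small Python audit of the Listen/Port, Browsing and <Location /> directives, run against two constructed configurations, one exposed and one restricted. The directive names are real cupsd.conf directives; the sample files and the wording of the findings are assumptions for illustration.

```python
"""Audit a cupsd.conf for network exposure of the IPP service.

Added example (not code from Akamai or the CUPS project). Directive names are
real cupsd.conf directives; the two sample configurations below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed: a cupsd.conf that exposes the service to every network.
WEAK_CONF = """\
Port 631                 # binds every interface, IPv4 and IPv6
Browsing On              # advertises shared printers
<Location />
  Order allow,deny
  Allow from all         # any client may talk IPP to this host
</Location>
"""

# Constructed: the same file restricted to the local host and LAN.
HARDENED_CONF = """\
Listen localhost:631
Listen /run/cups/cups.sock
Browsing Off
<Location />
  Order allow,deny
  Allow localhost
  Allow @LOCAL           # CUPS shorthand for directly attached subnets
</Location>
"""


@dataclass
class CupsConfig:
    listens: list = field(default_factory=list)    # Listen/Port values, normalised
    browsing: str = "Off"                          # value of the Browsing directive
    locations: dict = field(default_factory=dict)  # path -> [(directive, value)]


def parse_cupsd_conf(text: str) -> CupsConfig:
    """Minimal parser: top-level directives plus <Location> access rules."""
    cfg = CupsConfig()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"<Location\s+(\S+)>", line, re.I)
        if m:
            current = m.group(1)
            cfg.locations.setdefault(current, [])
            continue
        if line.lower() == "</location>":
            current = None
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if current is not None:
            if key in ("order", "allow", "deny"):
                if val.lower().startswith("from "):  # 'Allow from X' == 'Allow X'
                    val = val[5:].strip()
                cfg.locations[current].append((key, val.lower()))
        elif key == "listen":
            cfg.listens.append(val)
        elif key == "port":                      # 'Port N' binds all interfaces
            cfg.listens.append(f"*:{val}")
        elif key == "browsing":
            cfg.browsing = val
    return cfg


ALL_INTERFACES = ("*:", "0.0.0.0:", "[::]:")


def audit(cfg: CupsConfig) -> list:
    """Return human-readable findings; an empty list means no exposure found."""
    findings = []
    for value in cfg.listens:
        if value.startswith(ALL_INTERFACES):
            findings.append(f"listens on all interfaces ({value}); "
                            "prefer 'Listen localhost:631' or a specific LAN address")
    if cfg.browsing.lower() == "on":
        findings.append("Browsing On advertises the service; set 'Browsing Off' "
                        "unless printer sharing is required")
    root = cfg.locations.get("/")
    if root is None:
        findings.append("no <Location /> block; add one with explicit Allow rules")
    elif any(d == "allow" and v == "all" for d, v in root):
        findings.append("<Location /> allows all clients; restrict to "
                        "'Allow localhost' and/or 'Allow @LOCAL'")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_cupsd_conf(conf)) or ['no findings']}")
```

Run against a live /etc/cups/cupsd.conf, the three findings map onto the mitigation list: a Port or wildcard Listen line means the service is reachable from external networks, Browsing On means it is being advertised, and an Allow all on the root location means no client restriction is in force. Rate limiting is not a cupsd.conf setting and has to be applied at the firewall or reverse proxy in front of the service.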
Additional Considerations:
- The vulnerabilities can also be exploited to conduct phishing attacks by sending malicious IPP requests that prompt the user to install software or click on links.
- Researchers have developed proof-of-concept exploits for these vulnerabilities, highlighting the potential risk.
Conclusion:
It is crucial for organizations to apply the recommended mitigations promptly to protect their systems from potential DDoS attacks and other malicious activities. Keeping CUPS and other software up to date is essential for maintaining a secure environment.